The patch titled
     Subject: fs/proc: don't expose absolute kernel addresses via wchan
has been added to the -mm tree.  Its filename is
     fs-proc-dont-expose-absolute-kernel-addresses-via-wchan.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/fs-proc-dont-expose-absolute-kernel-addresses-via-wchan.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/fs-proc-dont-expose-absolute-kernel-addresses-via-wchan.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Ingo Molnar <mingo@xxxxxxxxxx>
Subject: fs/proc: don't expose absolute kernel addresses via wchan

wchan leaks absolute kernel addresses to unprivileged user-space, of kernel
functions that sleep:

  static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
                            struct pid *pid, struct task_struct *task)
  {
          unsigned long wchan;
          char symname[KSYM_NAME_LEN];

          wchan = get_wchan(task);

          if (lookup_symbol_name(wchan, symname) < 0) {
                  if (!ptrace_may_access(task, PTRACE_MODE_READ))
                          return 0;
                  seq_printf(m, "%lu", wchan);
          } else {
                  seq_printf(m, "%s", symname);
          }

          return 0;
  }

So for example it trivially leaks the KASLR offset to any local attacker:

  fomalhaut:~> printf "%016lx\n" $(cat /proc/$$/stat | cut -d' ' -f35)
  ffffffff8123b380

Most real-life uses of wchan are symbolic:

  ps -eo pid:10,tid:10,wchan:30,comm

and procps uses /proc/PID/wchan, not the absolute address in /proc/PID/stat:

  triton:~/tip> strace -f ps -eo pid:10,tid:10,wchan:30,comm 2>&1 | grep wchan | tail -1
  open("/proc/30833/wchan", O_RDONLY) = 6

These days there's very little legitimate reason user-space would be
interested in the absolute address.  The absolute address is mostly
historic: from the days when we didn't have kallsyms and user-space procps
had to do the decoding itself via the System.map.

So this patch sets all numeric output to 0 and keeps the symbolic output in
/proc/PID/wchan.

( The absolute sleep address can generally still be profiled via perf, by
  tasks with sufficient privileges. )
Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx> Reviewed-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> Acked-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Cc: Alexander Potapenko <glider@xxxxxxxxxx> Cc: Andrey Konovalov <andreyknvl@xxxxxxxxxx> Cc: Andrey Ryabinin <ryabinin.a.a@xxxxxxxxx> Cc: Andy Lutomirski <luto@xxxxxxxxxx> Cc: Borislav Petkov <bp@xxxxxxxxx> Cc: Denys Vlasenko <dvlasenk@xxxxxxxxxx> Cc: Dmitry Vyukov <dvyukov@xxxxxxxxxx> Cc: Kostya Serebryany <kcc@xxxxxxxxxx> Cc: Mike Galbraith <efault@xxxxxx> Cc: Peter Zijlstra <a.p.zijlstra@xxxxxxxxx> Cc: Sasha Levin <sasha.levin@xxxxxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> Link: http://lkml.kernel.org/r/20150930071537.GA19048@xxxxxxxxx Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/proc/array.c | 6 ++---- fs/proc/base.c | 7 +------ 2 files changed, 3 insertions(+), 10 deletions(-) diff -puN fs/proc/array.c~fs-proc-dont-expose-absolute-kernel-addresses-via-wchan fs/proc/array.c --- a/fs/proc/array.c~fs-proc-dont-expose-absolute-kernel-addresses-via-wchan +++ a/fs/proc/array.c @@ -375,7 +375,7 @@ int proc_pid_status(struct seq_file *m, static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task, int whole) { - unsigned long vsize, eip, esp, wchan = ~0UL; + unsigned long vsize, eip, esp; int priority, nice; int tty_pgrp = -1, tty_nr = 0; sigset_t sigign, sigcatch; @@ -454,8 +454,6 @@ static int do_task_stat(struct seq_file unlock_task_sighand(task, &flags); } - if (permitted && (!whole || num_threads < 2)) - wchan = get_wchan(task); if (!whole) { min_flt = task->min_flt; maj_flt = task->maj_flt; 
@@ -507,7 +505,7 @@ static int do_task_stat(struct seq_file seq_put_decimal_ull(m, ' ', task->blocked.sig[0] & 0x7fffffffUL); seq_put_decimal_ull(m, ' ', sigign.sig[0] & 0x7fffffffUL); seq_put_decimal_ull(m, ' ', sigcatch.sig[0] & 0x7fffffffUL); - seq_put_decimal_ull(m, ' ', wchan); + seq_puts(m, " 0"); /* Used to be numeric wchan - replaced by /proc/PID/wchan */ seq_put_decimal_ull(m, ' ', 0); seq_put_decimal_ull(m, ' ', 0); seq_put_decimal_ll(m, ' ', task->exit_signal); diff -puN fs/proc/base.c~fs-proc-dont-expose-absolute-kernel-addresses-via-wchan fs/proc/base.c --- a/fs/proc/base.c~fs-proc-dont-expose-absolute-kernel-addresses-via-wchan +++ a/fs/proc/base.c @@ -430,13 +430,8 @@ static int proc_pid_wchan(struct seq_fil wchan = get_wchan(task); - if (lookup_symbol_name(wchan, symname) < 0) { - if (!ptrace_may_access(task, PTRACE_MODE_READ)) - return 0; - seq_printf(m, "%lu", wchan); - } else { + if (!lookup_symbol_name(wchan, symname)) seq_printf(m, "%s", symname); - } return 0; } _ Patches currently in -mm which might be from mingo@xxxxxxxxxx are fs-proc-dont-expose-absolute-kernel-addresses-via-wchan.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
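Review bot: in the fs/proc/array.c hunk at @@ -507,7 +505,7 @@, the replacement `seq_puts(m, " 0");` is inconsistent with the two zero fields emitted immediately after it via `seq_put_decimal_ull(m, ' ', 0);`; emitting the retired wchan slot the same way keeps the field-output style uniform and makes it obvious that column 35 is still a decimal field. The inline comment is also the only record of the semantic change: Documentation/filesystems/proc.txt (and the proc(5) man page, which describes field 35 as the wchan address) should be updated to state that the field is now always 0 and that the symbolic value lives in /proc/PID/wchan, so that parsers relying on the old meaning are not surprised silently.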
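Review bot: the fs/proc/base.c hunk at @@ -430,13 +430,8 @@ deletes the `ptrace_may_access(task, PTRACE_MODE_READ)` check entirely instead of moving it in front of the remaining `seq_printf(m, "%s", symname);`, so the symbol a task is sleeping in is still shown to any local user with no access check at all; if the sleep location is worth hiding on the numeric path, gate the symbolic output on the same check and fall back to `0` when access is denied. Separately, when `lookup_symbol_name()` fails (for instance when `get_wchan()` returned 0 because the task is not sleeping) the file is now empty for every reader, whereas the stat hunk prints a literal `0` in that column; printing `"0"` here in the failure case too would give consumers one consistent sentinel rather than an empty read.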
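As an added defender-side check, not part of Ingo's patch or of procps: a small POSIX shell audit that tells whether a running kernel still prints the absolute sleep address in field 35 of /proc/PID/stat, the leak this patch removes. The commit message's `cut -d' ' -f35` one-liner miscounts when the comm field (in parentheses) contains spaces, so this version splits the line after the last ')' instead; the sample stat lines are constructed, with the first carrying the address ffffffff8123b380 from the commit message in the decimal form /proc uses.

```shell
# Added example: audit /proc/PID/stat for a non-zero (leaking) wchan field.

# wchan_field STATLINE: print field 35 (wchan) of one /proc/PID/stat line.
wchan_field() {
    # Greedy ".*) " drops everything up to the last ") ", i.e. pid and comm,
    # even when comm itself contains spaces or parentheses.  What remains
    # starts at field 3 (state), so wchan (field 35) is remaining field 33.
    rest=$(printf '%s\n' "$1" | sed 's/^.*) //')
    set -- $rest
    printf '%s\n' "${33}"
}

# wchan_leaks STATLINE: succeed (exit 0) when the field is a non-zero
# address, as on a kernel without this patch; fail when it reads 0.
wchan_leaks() {
    [ "$(wchan_field "$1")" != "0" ]
}

# Constructed sample lines, not captured from a real host.  The comm field
# deliberately contains a space and parentheses.  18446744071581184896 is
# 0xffffffff8123b380, the address shown in the commit message; the second
# line is what a patched kernel emits for the same process.
SAMPLE_OLD='4242 (my (odd) cmd) S 1 4242 4242 0 -1 4194560 100 0 0 0 1 1 0 0 20 0 1 0 500 10000 200 18446744073709551615 94000000000000 94000000100000 140000000000000 0 0 0 0 0 0 18446744071581184896 0 0 17 0 0 0 0 0 0'
SAMPLE_NEW=$(printf '%s\n' "$SAMPLE_OLD" | sed 's/ 18446744071581184896 / 0 /')

# scan_proc: report every process on this host whose stat line still
# exposes an address.  Prints nothing on a kernel carrying this patch.
scan_proc() {
    [ -d /proc ] || return 0
    for f in /proc/[0-9]*/stat; do
        line=$(cat "$f" 2>/dev/null) || continue   # process may have exited
        if wchan_leaks "$line"; then
            printf 'LEAK %s: wchan=%s\n' "$f" "$(wchan_field "$line")"
        fi
    done
}

scan_proc
```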